000000000 GGGGGGGGGGGG IIIIIIII1 NNN NNN 
LLL 000000000 GGGGGGGGGGGG III NNN NNN 
LLL 000000000 GGGGGGGGGGGG IIIT NNN NNN 
LLL 000 000 GGG II] NNN NNN 
LLL 000 000 GGG IIl NNN NNN 
LLL 000 GGG Il NNN NNN 
LLL 000 000 GGG Ill NNNNNN NNN 
LLL 000 000 GGG II] NNN NN 
LLL 000 000 GGG Ii] NNNNNN NNN 
LLL 000 000 GGG II] NN NNN NNN 
LLL 000 000 GGG II] NNN NNN NNN 
LLL 000 000 GGG III N 
LLL 000 000 GGG 66G6G6GGGG6G II] NNN NNNNNN 
LLL 000 000 GGG 666666666 Il NNN NNNNNN 
LLL 000 000 GGG 666666666 Il NNN NNNNNN 
LLL 000 000 GGG GGG II] NNN NNN 
LLL 000 000 GGG GGG II] NNN NNN 
LLL 000 000 GGG GGG II] NNN NNN 
LLLLLLLLLLLLLLL 000000000 GGGGGGGGG IIIIIIII NNN NNN 
LLLLLLLLLLLLLLL 000000000 GGGGGGGGG IIIIIIII1 NNN NNN 
LLLLLLLLLLLLLL 000000000 GGGGGGGGG IIIT NNN NNN 
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; 1 0001 8 MODULE breakin (IDENT = ‘V04-000', : 
H ¢ b008 ADDRESSING_MODE(EXTERNAL = GENERAL)) = : 
; i 1 BEGIN 3 
 £ BE | 
: $ 0006 i PITIIILILILILILL LILLE LILLE Ti iLL Tii ii iiiiiiiiiiiiite | : 
4 8 $008 1 !* COPYRIGHT (c) 1978, 1980, 1982, 1984 BY 6 : 
; 9 0009 1 i* DIGITAL EQUIPMENT CORPORATION, MAYNARD, MASSACHUSETTS. x : 
3 19 Bots : i ALL RIGHTS RESERVED. « H 
3 ! * 3 
$ \¢ Bpig 1 !* THIS SOFTWARE IS FURNISHED UNDER A LICENSE AND MAY BE USED AND COPIED * ; 
as 015 1 !* ONLY IN ACCORDANCE WITH THE TERMS OF SUCH LICENSE AND WITH THE * ; 
: 14 0014 1 !* INCLUSION OF THE ABOVE COPYRIGHT NOTICE. THIS SOFTWARE OR ANY OTHER * . 
: 15 0015 1 !* COPIES THEREOF MAY NOT BE PROVIDED OR OTHERWISE MADE AVAILABLE TO ANY * : 
3 16 0016 1 !* QTHER PERSON. NO TITLE TO AND OWNERSHIP OF THE SOFTWARE IS HEREBY * . 
; + Baie | it TRANSFERRED. ® 3 
; : * : 
; 19 0019 1 !* THE INFORMATION IN THIS SOFTWARE IS SUBJECT TO CHANGE WITHOUT NOTICE * : 
: 20 Bost 1 !* AND SHOULD NOT BE CONSTRUED AS A COMMITMENT BY DIGITAL EQUIPMENT * ; 
3 $) Ops) : re CORPORATION. * ; 
° . *® Py 
3 $8 00 : 1 !* DIGITAL ASSUMES NO RESPONSIBILITY FOR THE USE OR RELIABILITY OF ITS * : 
; Se 4 : ! i SOFTWARE ON EQUIPMENT WHICH IS NOT SUPPLIED BY DIGITAL. * : 
3 : * s 
; = 0026 1 !* * : 
3 sf ot 34 ; Lee ERA RARER ARATE EEEEEE ‘ 
; 29 0009 1 its ; 
3 0 0030 1 ! FACILITY: Login : 
; HH 0031 1! 3 
se itt 1 ! ABSTRACT: 3 
;. 3 0033 1! 3 
; | 634 0034 1! This module contains all the routines to scan and manipulate the 3 
oe | 0035 1! Compound Intrusion Analysis blocks, add new entries to the CIA 3 
: $$ ie) : queues, locate intruders, and renove suspects. : 
: 38 0038 1 | ENVIRONMENT: ; 
;- 0039 1! : 
; 40 0040 1! VAX/VMS operating system. : 
; (41 0041 1! $ 
; 42 ones 1 ! AUTHOR: Gerry Smith 12-July-1983 : 
; 643 0045 1! : 
; $3 Boe ! Modified by: : 
> 46 0046 1 | V03-006 ACG0436 Andrew C. Goldstein, | 23-Jul-1984 17:25 ; 
3 rtf 944 } Add support for LGI_BRK_TERM, put result in global cell : 
: 49 049 1: v03-005 MHB0131 Mark Bramhall 5-Apr-1984 ; 
: 20 $20 ! Change to new TERMINAL_DEVICE flag. : 
; 52 0054 1 i V03-004 ACG0390 Andrew C, Goldstein, 18-Jan-1984 11:33 ; 
3 e7 27 ' : Fix arg List mismatches (remove unused username) : 
; é6 055 1! v03-003 ACG0376 Andrew C. Goldstein, 22-Nov-1983 11:02 

; 28 B26 1! Redesign match algorithm to reduce service denial 

3 7 057 1! problems, fix expiration of old entries. 
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22-Sep-1983 


Gerry sayen 
f a terminal is gp MA see if there's another device, 


4 

! 

' 

the actual physica 
| v03-001 GASO185 
1 

' 


is between and 1 


parameter. 


Include files 
LIBRARY 'SYSSLIBRARY:L18'; 


i Declare the Linkages to allocate and deallocate 
as grab the CIA mutex. 


! VAX/VMS 


LINKAGE 

CVTDEV = JSB (REGISTER = 0, 
REGISTER = 1. i 

REGISTER = 4. i 

REGISTER = 5: i 

REGISTER = 15, i 

ALLO = JSB (REGISTER = 1; i 
REGISTER = 1 

REGISTER = 25: i 
NOPRESERVE (3,4,5), i 

DEALLO = JSB (REGISTER = 6): i 
NOPRESERVE (1,2,3,4,5), i 

LOCK = JSB (REGISTER = 6 i 
REGISTER = 45; i 


device, associated with the terminal. 


-1983 


Gerry Smith versee 
Add eeneearans to the hide time, so Fhet the actual hide time 
x 0% of that spec 


fied by the SYSGEN 


system definitions 


nonpaged pool, as well 


' Length of output buffer, 
' Address of output buffer 
' Format of device name 

' Address of UCB 

! Length of final name 


R1 = size (on input) 

Ri = size of block 

R2 = address of block 
R3, R4, RS destroyed 

RO = address of block 
R1i-R5 destroyed 

RO = address of mutex 
R4 = PCB address 


Macro to set the processor interrupt priority level register 


BUILTIN 


MACRO !' set processor IPL 
SET_IPL (LEVEL) = MTPR (ZREF (LEVEL), PRS_IPL) 


<@ 


D 10 
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_ 
oO 
uw 


' 

Table of contents 

FORWARD ROUTINE 
cia_scan, 
check_intruder, 
check_suspect, 
add_suspect; 


fojelolololeo) 


Set up for elevated-IPL scans 
Check intruder block 
Check suspect block 
Add a suspect block 


i] 
External routines 


EXTERNAL ROUTINE 
ioc$cvt_devnam : CVTDEV, 
sch$lockw : LOCK, 
sch$unlock : LOCK, 
exeSalononpaged : ALLO, 
exe$deanonpaged : DEALLO; 


Construct device name from UCB 
Lock CIA mutex 

Unlock CIA mutex 

Allocate non-paged pool 
Deallocate non-paged pool 


' 
Declare system areas 


EXTERNAL 
break_attempt : BYTE 
terminal_device : BYTE, 
phy_term_name : VECTOR 
uaf_record : REF $BBLOCK, 
org_username, 
ct(Sgl_pcb : REF S$BBLOCK, 
ctl$t_nodename : VECTOR(,BYTE), 
ctl$t_remoteid : VECTOR(,BYTE), 


Be Se Ge Ge Se Ge Ge Fe Ge Ge Ge Ge Se Ge Se Ge Ge Se Ge Se Ses Se Se Fe Se SE SHSe Se Sse ests Se Se Se Sess tee 
ee ee ce ce ce ee ce ee el ce el el el el el cel cel el el eel el cel cel cel eel cel cel cel eel cel eel eel 
AIA AN AAI NITIIIINIIN 3S 3 3 3 OCD 
NOU EWN OC ODNOUESWN OO ONOULWN—ODO 
SOSSCOCSOSDSCSCOSCODDOOOOODOOOCOOOOOOOOCOOCOOOOOO 
Ce ee ee ee ee eee 
ES PWN inononononononononon 2 2 
WN =D ODNAUSWN —OODNOULS WN ODODNOUNE 
ce ec ee a ce ee ee ee ce ee ce ee ee ee ee ee ed eed ed od 


4 
5 cia$gl_mutex, 
6 cia$gq_intruder : S$BBLOCK, 
7 sys$gb_brk_lim : BYTE, 
39 8 sys$gl_brk_tmo, 
40 9 sys$gl_hid_tim, 
$) ? exe$gl_dynamic_flags : BITVECTOR; 
a8 § EXTERNAL LITERAL 
4&4 exe$v_brk_term : UNSIGNED (6); 


10 
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; 14 144 1 GLOBAL ROUTINE cia_scan (intruder) = 

s 14 145 BEGIN 

: 4148 14 

: 188 ae Si 

: 131 128 i This is the routine that is called to start either a suspect 
$ : § : » or intruder scan. 

: 154 1 : i Inputs: 

s 155 1 } intruder = indicator for which type of scan to perform 
s 136 154 ! 1 ==> intruder List 

; 4 : 5 0 ==> suspect List 

: 122 ae Outputs: 

3 ! one. 

s 161 1 ! 

5 166 0160 ! Return status: (low bit) 

:; 16 0161 ! - intruder (either new, or in evasive action) 

> «166 3106 ! 1 = just another suspect, or an expired intruder 
qe HEE 

: 167 0165 2. 

3; 168 8198 BUILTIN 

: 169 16 emul, 

3; 170 8188 addm, 

3; 6171 199 cmpm, 

Gh Poke S || Pitiaees: 

: 17% 17 LABEL 

: «175 b198 cia_search, 

3 176 bios cia_check; 

: ide 158 § Loca 

: 179 6179 type : BYTE 

> 180 0178 data : VECTOR Fc ia$s_data, BYTE), 

: 181 17 time : VECTOR(C2), 

: 185 O18 1 

> 184 O18¢ ummy , 

; «185 1 status, 

: 186 184 next, 

s 187 185 cia : REF S$BBLOCK; 

1 OBE, 

: 159 1 g i Get the current time. 

3; «6191 1 ! 

3 136 1 Sgettim (timadr = time); 

: 194 19 ! 

3 «6195 198 ! Get the data string to match on, which is meant to correspond to the 
: 138 194 ' source of the login. It is, in order of preference: 

: 19 195 ! node name and remote | 

; 198 136 $ terminal if a real terminal plus username if real user 
3 +4 : original username (presumably creator of this process) 
; 201 199 if -ct | $t_nodenanef9) NEQ ! If node present, 
; 202 200 OR .ctl$t_remoteid NEQ 


——S — —_ 
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BREAKIN $ep-1984 01:49:34 AX-11 Bliss-32 V4.0-742 Page 5 
be 12-888: - 38 93:35 241: ‘be LOGIN. SRCIBR REAKIN.B32;1 . (3) 
! get the remote node ID, 
cia$k_network; 
Chefopy<. casement , ! Copy the nodename first, 
name 
cetlst srenoteidt OJ ‘ ! then the remote id 
ctl$t_ TFemoteid 
0 cia$s_data, 
data); 


END 

LSE IF .terminal_device 

HEN 

BEGIN 

4 -exe$gl dynamic. flagsCexe$v_brk germs 
THEN term_Tength = .phy_term_namel0 

ELSE term_length = 6; 


IF .uaf_record NEQ 0 
doo 


tye. = cia$k_term auser: 
CHSCOPY(. os plensth. 
phy. term ~name(1), 
uaf$s_username 
uaf ~récordluafét username), 


stele: dates 
data); 
END 


BEGIN 

type = ciaSk_terminal; 

CHSCOPY(. tera Length, 
sPhy. ferm_name(1), 


ELSE 


MOIPOPOPOPIPOPOPOPT 


PP AAAI BS BS BE BE EE EWI reser -eundase2o ns oo 


ital tutes 
data); 

END; 

END 


type = cia$k_username; 
CHSCOPY (uaf$S_username, 
org. username, 


cia$s_data, 
data); 
END; 


i Set up pointers to the address of the data. Also set STATUS = 1, to show 
that nothing so far. 


SOOOSOSOOOOOOOSOCOOOCOOOOSOSOSSOSSSOSSSOSSOSOOOOOSOOCOOOOOOCOOOOOOOOOOOOO 
RIPIPPIPOPIPIPINIPIPIPIPIPUNIPIPINPIPONPINPINPINPINYNPYD 


NONE AN 9 OO NOUN WIN 9 OD NOU EWI SOO ONOAUE WN OO OONOAUE AR OVO ONOUS Wn 
RIP IPIPIPIPI NNN HHH BBB EE PAR EE BEE EF PWN IRI NII INNO 
mm — 

- = 

wn m 

z 


Se Se Ge Be Ge Se Se Ge Se Ge Se Se Ge Se Ge Se Se Ge Ge Se Ge Ge Ge Ge Fe Se Gs Se Ge Ge Se Ge Se Se Se Se Ge Se Se Ge Se Fe Se Se Se Se Se See See Geese Se See ee 


PUPP B® BS BS BB BEE EWI AAI IP POPINOPIPONPININYDY 2 2 OO Os 


status = 1; 


<o 
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SOOCOOSOOCSOOCOCOCOOCOOCOOCOOCO OOO OOOO OOOOCO OOO OOOO OOOO OOOO OOOO OOOO 
PUPP SIND. INNIS SSS SNP PAPA A AAA AA MTU NAIA NIUPOPORIPD 
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Be Se Be Se Se Se Se Se Se Se Se Fe Se Se Fe Se Ge Ge Ge Se Se Ge Ge Ge Ge Fe Ss Ge Ge Ge Ge Se Ge FF Se Se Ge Se Se Ge se Ge SH Se Se Se Se Se Se Se Se Se Sees Se Seas 
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Oufwn—o 
wt O00 


ee A ed a 


' 
: Scan the lists, if there are any blocks. 


cia search: BEGIN 
schSlocky< ia gl mutex, .ctl$gl_pcb); 


a= .cia$gq_intruder; 
are. cia EQL cia$gq_intruder 


oe 
cia check: pEGIN 
next = .cialciaSl_flink); 


a simple compare of the entry 


THEN 
BEGIN 


count set to one short of the Limit. The 


IF .cialcia$v_intruder) 
THEN 


BEGIN 
cialcia$v_intruder] = 0; 
ciatcia$w_count = -sységb_brk 


delta = .sSys$qb_br m* ,sys 
emul CIREF 170800000, f 
a 


ELSE 

BEGIN 
ronget.6%8. dummy ) ; 
exeSdeanonpaged(.cia); 
toe cia_check; 


18-5 “1 
12-8ep 


<9 


Check expiration on each entry ad Meant a Rp be Abe. done with 
s time against curren me. 


IF cmpm (2, cialcia$q_time], time) LEQ 0 


An expired intruder is turned back into a suspect with the 
time is computed 
from the current time plus the count times the break timeout. 


Convert seconds into delta time 
s : 
addn , time, Cialcia$q_time), cialcia$q_time)); 


: An expired suspect entry is removed from the List. 


' Remove the biock 
! And return to pool 
! No entry to check 


! Now check for a match on the type we are looking for. 


BREAKIN $ep-1984 01:49:34 AX-11 Bliss-32 V4.0-76 Pp 7 D 
706-000 16> Sep-1984 Metide «RBG IN. BacSoreactncosoes ah V 
1 EQL .cialcia$b_subt 
} bro ENB Eot ‘fis data, Thaed Pe data, cialcia$t_data]) 
! If we have a matching block, make the appropriate checks. 
THEN 
EGIN 
IF .intruder 


THEN status = check_intruder(.cia, time) 
ELSE status = check_suspect(. cia, time); 
ore cia_search; 


END; ! end of block CIA_CHECK 
cia = .next; 
END; 
' 
i If this is a failed login and no List entry was found, create a 
suspect entry. 


if NOT .intruder 
THEN add suspect (. type, data, time); 
END; ! end of block CIA_SEARCH 


' 
Unlock the mutex and lower IPL. 


SchSuntock(ciaSgl_mutex, .ctl$gl_pcb); 


TURR .Status; 


Se Ge Se Ge Ge Se Ge Se Se oe Ge Se Se Ge Se FF Se Se Ss Se SH Se Oe Se Fe SS S46 ee SH Ss Se oe 


presk attempt = NOT .status; 
.TITLE BREAKIN 
“IDENT \V04-000\ 
.EXTRN IOCSCVT_DEVNAM, SCHSLOCKW 
-EXTRN SCHSUNLOCK, EXESALONONPAGED 
-EXTRN Shep DEANONPAGED 
[EXTRN BREAK_ATTEMPT, TERMINAL_DEVICE 
“EXTRN PHY_TERM NAME, UAF_ RECORD 
“EXTRN ORG” USER RRAME cTt oe 
“EXTRN CTLST NODENAAE T_REMOTEID 
“EXTRN CIA$G orn _MUTEX tih ska INTRUDER 
“EXTRN SYS$GB_BRK_LIM, vesGL _BRK_TMO 
“EXTRN SYS$GL~ HID “TIM, exe XESGL ~DYNAMIC_FLAGS 
“EXTRN EXESV_BRK_TERM, SYSSGETTIM 
.PSECT S$CODE$,NOWRT,2 
OFFC 00000 .ENTRY CIA_SCAN, Save R2,R3.R4,R5,R6,R7.RB,.R9,R10,-; 0144 
SE CO AE 9E MOVAB -64(SP), SP : 
3 DD PUSHL SP + 0190 
000000006 00 FB CALLS #1, SYSSGETTIM : 


57 


57 


38 


38 


20 090000006 


20 000000006 


09 000000006 


20 


20 04 


20 


20 000000006 


58 000000006 
000000006 


; 000000006 
88 08 


38 000000006 
88 000000006 


50 000000006 
56 000000006 
5A 
58 
57 08 
60 
57 
58 
A6 
5A 
60 

08 
5 
0 

08 
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“Sep-1984 01:49:34 AX=11 Bligs-32 V4.0-74 
300-1382 Mb eFide LOGIN. SRC BREAKIN. 83074 
MOVZBL CILST_NODENAME , RB 
NEG $ 
TSTB GILST_REMOTEID 
BEQL 
1$: MOVE #3, TYPE 
MOVZBL cTLst REMOTEID, R9 
MOVL #56, R7 
MOV DATA Rg 
MOVCS RB, CTLST_NODENAME+1, #32, R7, (R6) 
BGEQ. 7 
ADDL2 RB, R 
SUBLO RB. R 
MOVCS R9, CTLST_REMOTEID+1, #32, R7, (RO) 
BRB 7$ 
2s: BLBC §- TERMINAL_DEVICE, 6$ 
BBC S*EXESV BRK TERM, EXESGL_DYNAMIC_FLAGS, 3$ 
MOVL PHY TERR_NARE, TERM_LENGTH 
$: CLRL =‘ TERM_LENGTH 
$: MOVL PHY_TERM_NAME+4, RO 
MOVL AF-RECORD, R6 
BEQL 
MOVE We TYPE 
MOVL #56, RB 
MOV DATA, R7 
MOVCS TERM_LENGTH, (RO), #32, RB, (R7) 
BGEQ 
ADDL2 TERM_LENGTH, R7 
SuBL¢ — TERM-LENGTH, RR 
MOVCS #32,74(R6), #32, RB, (R7) 
BRB ‘ 
5$ MOVB. #1, TYPE 
MOVCS TERM_LENGTH, (RO), #32, #56, DATA 
BRB 


7$ 
#4, TYPE 
MOVCS #32, ORG_USERNAME, #32, #56, DATA 


7$: MOVL #1, STATUS 
MOVAB CLASGL_MUTEX RO 
MOVL  (CTLSGLPCB, R4 
JSB SCHSLOCKW 
MOVL  CIA$GQ_INTRUDER, cuA 
as MOVAB CIASGQ"INTRUDER, R 
CMPL § A, RO 
BNE 
BRW 18$ 
9$ MOVL (CIA), NEXT 
MNEGL #1, RO 
CMPL ; (CIA), TIME 
BLSS $ 
BGTR 108 
CMPL  16(CIA), TIME 
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Routine Base: S$CODE$ * 0000 


418 bytes, 


: 
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1 1 ROUTINE check suspect (cia, time) = 
BEGIN 


'ee¢ 
! 


i Check i/ enough login failures have occurred to change the suspect 
; to an intruder. 


Inputs: 
cia = address of the Compound Intrusion Analysis block 
time - address of current time of login failure 


; 

' 

i 

: Outputs: 

: None. 
i 

i 

i 

i 

' 


Return status: 
0 - this is an intruder 
1 = just another suspect 


—s, 


time : REF VECTORC,WORDJ, 
cia : REF SBBLOCK; 


LOCAL 
delta : VECTOR (2); 


i Bump the count of login (perhaps breakin) attempts. Also bump the 
expiration time of the entry. 


cialcia$w count) = .cialciaSw_count) + 1; 
enul (sysSql are tmo ' Convert timeout into 
REF (T90000005 , i delta time value 


get tel: 
addm (2, delta, cialcia$q_time), cialcia$q_time]); 


1 

! If the number of attempts is greater than the number of retries allowed, 

!' then remove the CIA block from the suspect queue and put it on the 

: intruder queue. 

if ,c tale iasw_count) GTR .sys$gb_brk_lim 
BEGIN 
LO 


CAL 
semi_second; 


9 
4 
98 
95 
7 
99 


WANA 


Bo Be Se Se Se Se Se Se Se Ge Se Se Fe Se Ge Ss Se Se Ge Se Fe Ge Ge Fe Fs Ge Se Ge Ge Se Se Ge Ge Ge Se Ge Se Se Se Se Se Se Se Se See Ge Se SeSe ee Se Se Se Sesee 


Ran 


i Obtain a number between 10000000 and 15000000, which represents a unit of 
! time between 1.0 and 1.5 seconds. 


eel 


10 
iB-Sen-1984 01:49:54 ANH BLigg-52_v4.0:742 


; 408 405 ' 

; 409 4 $ ! This is done by taking the system time, and using the longword in the 

; 41 4 ! "middle’’, swapping the word { hat longword, scaling th antit 

: cit | : down to be in the Penge of 808 060 or tots. and adding 10000000. , 

; t18 410 4° BEGIN 

; 4146 11 4 MAP semi_second : Ho RC2,WORDI; 

> 415 ti§ 4 semi_second a) = time ¢ 3 ! Get middle longword 

: 213 ti? 4 peat secant = .timel1J; ! swapping words on the way. 
3 a3 415 semi_second = .semi_second / ((1*31-1)/5000000) + 10000000; 

; 4 a1 emul (sys$gl_hid_tim, ! Multiply the hide time 
; ? 1 213 pont ase” ° ! to get number of seconds 
: 4 i 420 giatciaSa_tine)); ' and put it in the block 
: 424 421 addm(2, ! then a 

>; 425 4, § otime ! the current time 

; 4 § 4 cafe {asa_tine) } 

; 4 0424 ete cia$q_tim 5; ! and put it in the block 
> 428 8 5 ciaCcia$v_intruder] = 1; ! Show it’s an intruder 

; 429 6 RETURN 0; 

: 23 0458 ste 

; 432 0429 2 RETURN 1; 

; 43 0430 1 END; 


Q000C 00000 CHECK_SUSPECT: 
WORD 


Seye R2,R3 
SE 0c C3 9002 SUBL2 #12, SP 
” oF i Be 8098 INC Cheon” 
04 AE 00 00989680 ef 0000000 G 00 ah 900¢ EMUL SYSSGL_BRK_THO, #10000000, #0, DELTA 
23 04 AE 6 001 ADDL2 DELTA, RR) 
04 As 08 Ar p 00 ADWC DELTA, 4(R3) 
a 31 000000006 i A 00 NOVZBL SYSSGB_BRK_LIM, R1 
3 0 5 BGEQU 1$° 
51 8 aC D MOVL TIME R1 
6E 4 Al B MOVW 4(R1S, SEMI_SECOND 
02 AE 2 al B C MOVW 2(R1), SEMI~SECOND+2 
52 6 09 OIA 8F 41 DIVL3 #429 SEMI SECOND, R 
6E 0 68 F E 00049 MOVAB 10 60 (R2), SEME SECOND 
63 00 6€ 000000006 A 9 EMUL  SYSS$GL HiD_tin, SEMI_SECOND, #0, (R3) 
6 61 ¢ ADDL2 = (R1), TR3) 
04 A 06 Al f ADWC «= 4(R1$, 4¢R3) 
Cc (OA 1 BISB2 #1, 12(RO) 
4 3 BRB 2$ 
50 1 : i 1$: ROVL #1, RO 
50 D4 2$: CLRL = RO 
4 00060 RET 
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eReAKIN iSoBeoct9Re O1:48:E  yAReHy OLiggc32 v4. s749 rase 12 


; Routine Size: 110 bytes, Routine Base: S$CODE$ + 01A2 


i 10 
06-000 1er$ep-1986 faietioe — ECSGIN. SAcSBREAKI 


3; 4 1 ROUTINE check_intruder (cia, time) = 

3 2 4 BEGIN 

: 4 4 loee 

° i 

3; 440 4 § i Chock if List entry is an intruder (for otherwise successful 
: 441 i yalidation). 

3 tts 4 3 ! 

3: 44 4 i Inputs: 

: 446 440 ! cia = address of intruder block 

3; 4465 4) ! time - current time 

3 $08 tg ! 

; 44 4 ' Outputs: 

; 448 444 ! none 

3; 449 45 ! 

3 t29 ‘8 ' Return etetue: 

; 451 4 } 0 = this is an intruder, perform evasive action 
3 +26 re ! 1- this is only suspect, no action 
3 465 4 ! 

3 «6454 50 leone 

; 455 $2) 

3 $28 § MAP 

3 § 5 cia : REF $B8BLOCK; 

; 458 54 

3; 459 455 LOCAL 

; 460 2 dummy ; 

; 461 045 

; 46 9k ! 

3 ret #4 : If this is not an intruder entry, take no action. 
3; 465 0461 if NOT cate intruder) 

; res | re) THEN RETURN 1 

; 46 Bee 

: 468 464 cialcia$w_ Se -cialcia$w_count] + 1; 

; 469 0465 ¢ RETURN 0;~ 

; 470 0466 END; 


0000 00000 CHECK_INTRUDER: 
WORD 


50 4 MOVL erie ~ 
04 ge Ae itd BLBS i2tho) 1$ 
0 OOOA ROVL #1, RO 
OE re s §8 iit 1$: INCW  14(RO) 
5 p tt CLRL = RO 
4 00013 RET 


3; Routine Size: 20 bytes, Routine Base: SCODE$ + 0210 


<o 
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BREAKIN 1b-Se =1984 01:49:34 AX=1 
v04-0 14-Sep 4 Matioe 


; of 167 1 poy ie add_suspect (type, data, time) = 

: 474 rhe: 

s 4675 470 lee4 

; 476 0471 ! 

; oir pete Add a suspect block 

: 479 0474 i Inputs: 

; 480 0475 ! type - type code of data 

> «481 0476 ' data - data string to match on 

; re beet } time - time of login attempt 

: 484 Bere i Outputs: 

; 485 0480 ! None. 

; 486 0481 ! 

: 487 bees leon 

; $88 048 

: 489 0484 BUILTIN 

Ps mul, 
; 491 0486 dan. 

2 Piss | 9 ae, 

> 494 0489 2 LOCAL 

; 495 0490 size, 

: rey ed: cia : REF S$BBLOCK; 

: 498 049 

: $30 Beoe } Get a chunk of non-paged pool. 

: 501 0496 IF NOT exe$alononpaged(cia$c_ length; size, cia) 

: ane Rees THEN RETURN 1; 

: 504 0499 2! 

H +4 bes Fill in the block. 

: 507 3206 cia ciaSw_size] = .size; ' Put in size 

3; 508 050 cialcia$b_ -typed = dyn$c_ cia; i Type 

; 509 0504 cia ciasb_ subty e] = .type; i Data t ype 

s 310 Bene cialcia$w_flag y= i This iz a suspect 
s 311 506 cia rc iasu. count i Tried one time 

; 21g 0507 emul Xe Sol bod tm a. i Convert timeout into 
; 31 0508 cr 0000005, i delta time 

: 13 B246 + ef : 1 F . i and add to current time | 
5 alcia m 

; até o3t? addm ( ; tines” eTeiziiee. time], cialcia$q_time]); 

: 3? O1¢ CHSROVE (cjaSs. data, | And this is the 

; i 0318 248F tast_datal): 

: 338 baig insque(.cia, .cia$gq_intruder(cia$l_blink]); ! Put at end of intruder queue 
; 0518 2 RETURN 1; 

: 524 0519 END; 


<o 


SUSPECT: 
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- #10000000, #0, 16(CIA) 


~ 


uw aew 


Re -RS.R4R5 ROR RB.RO.RIORIT 
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K 


e 
ie 

dE 
: 
$$ 
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IA 


0O>O0>— eens 
2-2 YC@-~-wswBOW~YB 


$1 


MOVL 
RET 
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Routine Base: $CODE$S + 0224 


88 bytes, 


3; Routine Size: 


; pet Used: 1 
; Compila 


32 pages 


tion Complete 


D 11 
BREAKIN 16-Sep-1984 01:49:34 AX-11 Bliss-32 V4.0-742 
v04-000 1o-808=138e %} 41:04 LOGIN. SRCJBREAKIN.B32;1 
; 258 S250 1 END 
; 0521 0 ELUDOM 
; PSECT SUMMARY 
; Name Bytes Attributes 
: SCODES 636 NOVEC,NOWRT, RD, EXE,NOSHR, LCL, REL, CON,NOPIC,ALIGN(2) 
: Library Statistics 
: corccecce Symbols -------- Pages Processing 
: File Total Loaded Percent Mapped ime 
: _$255$DUA28:C(SYSLIBILIB.L32;1 18619 24 0 1000 00:01.4 
: COMMAND QUALIFIERS 
: BLISS/CHECK=(FIELD, INITIAL,OPTIMIZE)/LIS=LIS$:BREAKIN/OBJ=OBJ$:BREAKIN MSRC$:BREAKIN/UPDATE=(ENH$: BREAKIN) 
3; Size: 636 code + 0 data bytes 
3; Run Time: :08. 
$ Elapsed Time: 00:35.8 
3; Lines/CPU Min: 3626 
3 Lexemes/CPU-Min: 195935 
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